Thursday, December 13, 2018

OpenSCAP on CentOS 7

yum install openscap openscap-scanner scap-security-guide

$ rpm -qa | grep openscap
openscap-scanner-1.2.16-8.el7_5.x86_64
openscap-1.2.16-8.el7_5.x86_64

$ rpm -qa | grep scap-security-guide
scap-security-guide-0.1.36-10.el7.centos.noarch

$ pwd
/usr/share/xml/scap

Content that ships with scap-security-guide (things you can scan for free):
$ find . | grep xml
./ssg/content/ssg-centos6-ds.xml
./ssg/content/ssg-centos7-ds.xml
./ssg/content/ssg-centos7-xccdf.xml
./ssg/content/ssg-firefox-ds.xml
./ssg/content/ssg-jre-ds.xml
./ssg/content/ssg-rhel7-cpe-dictionary.xml
./ssg/content/ssg-rhel7-cpe-oval.xml
./ssg/content/ssg-rhel7-oval.xml
./ssg/content/ssg-centos6-xccdf.xml
./ssg/content/ssg-firefox-cpe-dictionary.xml
./ssg/content/ssg-firefox-cpe-oval.xml
./ssg/content/ssg-firefox-ocil.xml
./ssg/content/ssg-firefox-oval.xml
./ssg/content/ssg-firefox-xccdf.xml
./ssg/content/ssg-jre-cpe-dictionary.xml
./ssg/content/ssg-jre-cpe-oval.xml
./ssg/content/ssg-jre-ocil.xml
./ssg/content/ssg-jre-oval.xml
./ssg/content/ssg-jre-xccdf.xml
./ssg/content/ssg-rhel6-cpe-dictionary.xml
./ssg/content/ssg-rhel6-cpe-oval.xml
./ssg/content/ssg-rhel6-ds.xml
./ssg/content/ssg-rhel6-ocil.xml
./ssg/content/ssg-rhel6-oval.xml
./ssg/content/ssg-rhel6-xccdf.xml
./ssg/content/ssg-rhel7-ds.xml
./ssg/content/ssg-rhel7-ocil.xml
./ssg/content/ssg-rhel7-xccdf.xml


Here is how to get a report of your compliance. First inspect the data stream to see which profiles it carries; the profile ID you later pass to oscap xccdf eval must be one of these, and the "Referenced check files" section shows the remote RHSA OVAL feed the stream depends on.
# oscap info "/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml"
Document type: Source Data Stream
Imported: 2017-10-19T18:41:07

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
                Status: draft
                Generated: 2017-10-19
                Resolved: true
                Profiles:
                        xccdf_org.ssgproject.content_profile_standard
                        xccdf_org.ssgproject.content_profile_pci-dss
                        xccdf_org.ssgproject.content_profile_C2S
                        xccdf_org.ssgproject.content_profile_rht-ccp
                        xccdf_org.ssgproject.content_profile_common
                        xccdf_org.ssgproject.content_profile_stig-rhel7-disa
                        xccdf_org.ssgproject.content_profile_stig-rhevh-upstream
                        xccdf_org.ssgproject.content_profile_ospp-rhel7
                        xccdf_org.ssgproject.content_profile_cjis-rhel7-server
                        xccdf_org.ssgproject.content_profile_docker-host
                        xccdf_org.ssgproject.content_profile_nist-800-171-cui
                Referenced check files:
                        ssg-rhel7-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel7-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-pcidss-xccdf-1.2.xml
                Status: draft
                Generated: 2017-10-19
                Resolved: true
                Profiles:
                        xccdf_org.ssgproject.content_profile_pci-dss_centric
                Referenced check files:
                        ssg-rhel7-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel7-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml000
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml000
Dictionaries:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-dictionary.xml

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --report report.html /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Ensure Red Hat GPG Key Installed
Rule    xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result  pass

Title   Ensure gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass

Title   Ensure Software Patches Installed
Rule    xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result  notchecked

Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Result  fail

Title   Verify File Hashes with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Result  pass

Title   Add nodev Option to /dev/shm
Rule    xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
Result  pass

Title   Add nosuid Option to /dev/shm
Rule    xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
Result  pass

Title   Verify that All World-Writable Directories Have Sticky Bits Set
Rule    xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
Result  fail

Title   Ensure No World-Writable Files Exist
Rule    xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
Result  pass

Title   Ensure All SGID Executables Are Authorized
Rule    xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid
Result  pass

Title   Ensure All SUID Executables Are Authorized
Rule    xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid
Result  pass

Title   Prevent Log In to Accounts With Empty Password
Rule    xccdf_org.ssgproject.content_rule_no_empty_passwords
Result  fail

Title   Ensure that Root's Path Does Not Include World or Group-Writable Directories
Rule    xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write
Result  pass
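Here is an added example, not code from the original post, that wraps the scan above: it runs the standard profile with --fetch-remote-resources and --results, tolerates oscap's exit status 2 (at least one rule failed) instead of treating it as an error, and turns the Title/Rule/Result output into per-status counts plus the list of failing rule IDs. The data stream path and the scan wrapper assume oscap and scap-security-guide are installed as shown above; the embedded sample output is constructed from the results listed above, so the summary part runs without oscap.

```shell
#!/bin/sh
# Added example, not code from the original post: wrap the compliance scan and summarise
# its output. Assumes (hypothetical) that oscap and the SSG content are installed at the
# paths below; the SAMPLE text further down is constructed from the post's own scan output.
set -eu

DS=/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
PROFILE=xccdf_org.ssgproject.content_profile_standard

# Run the scan. --fetch-remote-resources pulls the RHSA OVAL feed the data stream references,
# so "Ensure Software Patches Installed" is evaluated instead of coming back notchecked.
# oscap xccdf eval exits 0 when every rule passes, 2 when at least one rule fails and 1 on
# error, so only status 1 is allowed to abort the script. Prints the name of the stdout file.
run_scan() {
    tag="$(hostname)-$(date +%Y%m%d)"
    oscap xccdf eval --fetch-remote-resources \
        --profile "$PROFILE" \
        --results "${tag}-xccdf-results.xml" \
        --report "${tag}-xccdf-report.html" \
        "$DS" > "${tag}-xccdf-stdout.txt" || [ $? -eq 2 ]
    echo "${tag}-xccdf-stdout.txt"
}

# Count the rules with a given result (pass, fail, notchecked, ...) in oscap's stdout.
count_results() {   # usage: count_results STATUS < stdout.txt
    awk -v want="$1" '$1 == "Result" { n[$2]++ } END { print n[want] + 0 }'
}

# Print the rule IDs whose result is STATUS (default fail); WARNING lines are ignored.
rules_with_result() {   # usage: rules_with_result [STATUS] < stdout.txt
    awk -v want="${1:-fail}" '
        $1 == "Rule"   { rule = $2 }
        $1 == "Result" { if ($2 == want) print rule }'
}

# One-screen summary: counts per result, then the failing rule IDs to hand to whoever hardens the box.
summarize() {   # usage: summarize < stdout.txt
    data="$(cat)"
    for status in pass fail notchecked error; do
        printf '%s=%s ' "$status" "$(printf '%s\n' "$data" | count_results "$status")"
    done
    echo
    echo "failed rules:"
    printf '%s\n' "$data" | rules_with_result fail
}

# Constructed sample (a subset of the scan output shown above), so this runs without oscap.
SAMPLE='WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Ensure Red Hat GPG Key Installed
Rule    xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result  pass

Title   Ensure Software Patches Installed
Rule    xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result  notchecked

Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Result  fail

Title   Verify File Hashes with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Result  pass

Title   Verify that All World-Writable Directories Have Sticky Bits Set
Rule    xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
Result  fail

Title   Prevent Log In to Accounts With Empty Password
Rule    xccdf_org.ssgproject.content_rule_no_empty_passwords
Result  fail

Title   Add nodev Option to /dev/shm
Rule    xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
Result  pass'

if [ "${1:-}" = scan ]; then
    summarize < "$(run_scan)"             # real scan: needs oscap, the SSG content and network access
else
    printf '%s\n' "$SAMPLE" | summarize   # offline: summarise the constructed sample
fi
```

Run it as "sh scan.sh scan" on the CentOS box to do the real scan, or with no argument to see the summary over the constructed sample; the --results XML it writes is the machine-readable record worth keeping next to the HTML report.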

Make the configuration report again, this time with --fetch-remote-resources so the RHSA OVAL feed named in the warning is downloaded and "Ensure Software Patches Installed" is evaluated instead of reported as notchecked:
# oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_standard --report report.html /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml


$ oscap oval eval --results $(hostname)-oval-results-$(date +%Y%m%d).xml --report $(hostname)-oval-report-$(date +%Y%m%d).html /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml

$ oscap xccdf eval --oval-results --profile xccdf_org.ssgproject.content_profile_standard --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
(The plain XCCDF file takes the same profile IDs that oscap info listed above; "server", which older how-tos pass here, is not one of them, so --profile server matches nothing in this content.)

Download the CentOS 7 OVAL definitions from the MITRE repository:
wget https://oval.mitre.org/rep-data/5.10/org.mitre.oval/p/platform/centos.linux.7.xml

Make a vulnerability report based on CVEs:
oscap oval eval --results $(hostname)-oval-results-$(date +%Y%m%d).xml --report $(hostname)-oval-report-$(date +%Y%m%d).html centos.linux.7.xml

That report is pretty out of date though! MITRE hasn't updated it since 2015.

Try downloading and running per https://www.open-scap.org/resources/documentation/perform-vulnerability-scan-of-rhel-6-machine/

These commands don't seem to make anything past 2014 either...
wget https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
oscap oval eval --results rhsa-results-oval.xml  --report oval-report.html  Red_Hat_Enterprise_Linux_7.xml


This one doesn't return anything at all:
wget https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/centos_linux_7.xml
oscap oval eval --results centos-results-oval.xml --report oval-report-centos.html centos_linux_7.xml

Try the patch one:
wget https://oval.cisecurity.org/repository/download/5.11.2/patch/centos_linux_7.xml
sudo oscap oval eval --results centos-results-oval.xml --report oval-report-centos.html centos_linux_7.xml
It doesn't seem to show any missing patches on a box I know is missing a few...



References:
https://community.alfresco.com/community/platform/blog/2016/12/21/hardening-assessment-and-automation-with-openscap-in-5-minutes
https://oval.mitre.org/rep-data/5.10/org.mitre.oval/p/index.html


https://serverfault.com/questions/923295/openscap-and-centos-7-oval-definitions
"wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2

bunzip2 com.redhat.rhsa-RHEL7.xml.bz2

oscap oval eval --results rhsa-results-oval.xml --report ${HTMLPATH}/myreport.html com.redhat.rhsa-RHEL7.xml"




Alternatives to OpenSCAP for CIS benchmark audits on CentOS 7:
https://github.com/haxorof/centos-bench-security
https://github.com/massyn/centos-cis-benchmark
https://github.com/CISecurity/OVALRepo